Krebs on Security

In-depth security news and investigation

Which Banks Are Enabling Fake AV Scams?

Fake antivirus scams and rogue Internet pharmacies relentlessly seek customers who are willing to trade their credit card numbers for a remedy. Banks and financial institutions become partners in crime when they process payments to fraudsters.

Published research has shown that rogue Internet pharmacies and spam would be much less prevalent and profitable if a few top U.S. financial institutions stopped processing payments for dodgy overseas banks. This is also true for fake antivirus scams, which use misleading security alerts to frighten people into purchasing worthless security software.

Researchers from the University of California, Santa Barbara spent several months infiltrating three of the most popular fake antivirus (fake AV) “affiliate” networks, organized criminal operations that pay hackers to deploy the bunk software. The researchers uncovered a peculiar credit card processing pattern that was common to these scams, a pattern that Visa and MasterCard could use to detect and blacklist fake AV processors.

The pattern reflects each fake AV program’s desire to minimize the threat from “chargebacks,” which occur when consumers dispute a charge. The fake AV networks the UCSB team infiltrated tried to steer unhappy buyers to live customer support agents who could be reached via a toll-free number or online chat. When customers requested a refund, the fake AV firm either ignored the request or granted a refund. If the firm ignored the request, then the buyer could still contact their credit card provider to obtain satisfaction by initiating a chargeback; the credit card network grants a refund to the buyer and then forcibly collects the funds from the firm by reversing the charge.

Excessive chargebacks (more than 2-3 percent of sales) generally raise red flags at Visa and MasterCard, which employ a sliding scale of financial penalties for firms that generate too many chargebacks. But the fake AV companies also don’t want to issue refunds voluntarily if they think a customer won’t take the next step of requesting a chargeback.

The UCSB team found that the fake AV operations sought to maximize profits by altering their refunds according to the chargebacks reported against them, and by refunding just enough to remain below a payment processor’s chargeback limits. Whenever the rate of chargebacks increased, the miscreants would begin issuing more refunds. When the rate of chargebacks subsided, the miscreants would again withhold refunds. Consider the following diagram, from the researchers’ report, which shows a direct and very close correlation between increased chargebacks and heightened refund rates.

The researchers found that fraudsters offered more refunds (dotted line) as chargebacks (red) spiked.
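The pattern described above (refunds that rise and fall with chargebacks, a chargeback rate kept just under the network limit, and, as the researchers note later, traffic rotated across several merchant accounts) is something an acquirer or card network could score from the monthly figures it already holds. The script below is an added example, not code from this post or from the UCSB researchers. It assumes the scorer can link merchant accounts to a common owner (as an acquirer would from its own onboarding records), uses an assumed 2 percent limit for the network threshold the post gives as 2-3 percent, and runs over constructed monthly records for a rotating fake AV operation and an ordinary software vendor.

```python
"""Score merchant owners for the fake AV refund/chargeback pattern.

Added example; thresholds, field names and all records are constructed.
"""
from collections import defaultdict
from math import sqrt

CHARGEBACK_LIMIT = 0.02   # assumed 2% network threshold (post says 2-3%)
HUG_BAND = 0.6            # "hugging" = chargeback rate between 60% and 100% of the limit
CORR_FLAG = 0.7           # refunds tracking chargebacks this closely is suspicious

# Constructed monthly records: (owner, merchant account, month, sales,
# voluntary refunds, chargebacks).  OWNER-A rotates two accounts month by
# month and refunds more whenever chargebacks climb; OWNER-B is a single,
# ordinary software vendor with flat refunds and low chargebacks.
RECORDS = [
    ("OWNER-A", "ACC-A1", "2011-01", 1000, 30, 13),
    ("OWNER-A", "ACC-A2", "2011-02", 1000, 60, 18),
    ("OWNER-A", "ACC-A1", "2011-03", 1000, 70, 19),
    ("OWNER-A", "ACC-A2", "2011-04", 1000, 40, 14),
    ("OWNER-A", "ACC-A1", "2011-05", 1000, 55, 17),
    ("OWNER-A", "ACC-A2", "2011-06", 1000, 70, 19),
    ("OWNER-B", "ACC-B1", "2011-01", 1000, 20, 3),
    ("OWNER-B", "ACC-B1", "2011-02", 1000, 20, 4),
    ("OWNER-B", "ACC-B1", "2011-03", 1000, 21, 2),
    ("OWNER-B", "ACC-B1", "2011-04", 1000, 19, 3),
    ("OWNER-B", "ACC-B1", "2011-05", 1000, 20, 3),
    ("OWNER-B", "ACC-B1", "2011-06", 1000, 20, 4),
]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series has no variance."""
    n = len(xs)
    if n < 2:
        return 0.0
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / sqrt(sxx * syy)


def monthly_rates(records):
    """Aggregate every account an owner controls into one series per month.

    Returns {owner: {month: {"cb": rate, "refund": rate, "accounts": set}}}.
    Summing across accounts is what defeats the rotation trick: each account
    on its own looks clean, the owner as a whole does not.
    """
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0, 0, set()]))
    for owner, account, month, sales, refunds, chargebacks in records:
        t = totals[owner][month]
        t[0] += sales
        t[1] += refunds
        t[2] += chargebacks
        t[3].add(account)
    out = {}
    for owner, months in totals.items():
        out[owner] = {
            month: {"cb": cbs / sales, "refund": refunds / sales, "accounts": accts}
            for month, (sales, refunds, cbs, accts) in sorted(months.items())
        }
    return out


def score_owner(months, limit=CHARGEBACK_LIMIT):
    """Three signals from the post: refunds tracking chargebacks, a chargeback
    rate hugging the limit, and several accounts used one at a time."""
    cb = [m["cb"] for m in months.values()]
    rf = [m["refund"] for m in months.values()]
    corr = pearson(cb, rf)
    hugging = sum(limit * HUG_BAND <= r < limit for r in cb) / len(cb)
    all_accounts = set().union(*(m["accounts"] for m in months.values()))
    rotating = len(all_accounts) > 1 and all(len(m["accounts"]) == 1 for m in months.values())
    return {
        "corr": corr,
        "hugging": hugging,
        "rotating": rotating,
        "flagged": corr >= CORR_FLAG and hugging >= 0.5,
    }


def score_all(records=RECORDS):
    """Score every owner in the records; returns {owner: score dict}."""
    return {owner: score_owner(months) for owner, months in monthly_rates(records).items()}


if __name__ == "__main__":
    for owner, s in score_all().items():
        print(f"{owner}: corr={s['corr']:.2f} hugging={s['hugging']:.2f} "
              f"rotating={s['rotating']} flagged={s['flagged']}")
```

The correlation alone would also flag an honest merchant whose refunds and chargebacks both rise during a bad product release, which is why the hugging test is combined with it: a merchant that is merely unlucky has no reason to sit in the band just under the limit month after month. A real deployment would also have to account for the lag between a sale and its chargeback, which the monthly buckets here ignore.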

The UCSB team found that of almost 2.3 million people who purchased fake AV from three affiliate networks over a three-year period, fewer than 10 percent requested a refund. An even smaller subset asked their bank to initiate a chargeback. This is exactly what I found in research that I published last summer, which highlighted the paucity of refund requests for fake AV affiliate networks run by Russian payment processor ChronoPay.

Total downloads, purchases and revenues from all three fake AV programs the UCSB team studied.

I have often written about ChronoPay’s close ties to the fake AV industry. It’s nice to see that others are witnessing this. The UCSB researchers found that all three fake AV businesses used ChronoPay’s credit card payment services. They also found that communications between the processors and the fake AV perpetrators revealed that the payment service providers were well aware of the fake AV businesses, and even offered advice to help the group sell more products.

“We observed that some payment processors allow an illicit company to create multiple merchant accounts in which transactions are periodically rotated (approximately every 30-45 days) through each account, such that a single account is never flagged for fraudulent activities, since the transactions — and any associated chargebacks — are distributed over all of the accounts,” the researchers wrote.

In addition, most fake AV affiliate networks typically changed the names of their products every three to seven days; that was the average time it took for victim complaints to start appearing on consumer Web forums and being indexed by search engines.

So, to answer the question in the headline of this post, I’ll name the financial institutions that agreed to process payments for these fake AV affiliate networks. According to the researchers, the banks are:

The researchers were fortunate to gain direct access to some fake AV customer records, one of which included the partial credit and debit card numbers of more than a half million people who were tricked into paying for scam software. The table below shows that about 50 percent of buyers made purchases with cards issued by the top card-issuing banks:

Maybe it’s unfair to pick on only these banks. After all, they are among the top card-issuing banks, so it’s natural that they would feature prominently in almost any customer list.

The researchers argue that Visa and MasterCard are in an extraordinary position for spotting the pattern of chargebacks and refunds that may reveal the existence of a fake AV processor.

“Payment processors or credit card networks have more information and have a better understanding of the firm’s chargeback constraints and may, therefore, be in a unique position to monitor these firms,” the researchers wrote. In other words, Visa and MasterCard could spot this activity quite easily and take action against the processor if they were motivated to do something about it.

Sometime in the next week, the third and penultimate piece in this series will report on the extent of the overlap between the credit card processing networks exploited by rogue online pharmacies and by the fake AV business.

45 comments

The focus should not only be on the banks but on the ease with which these fake AV companies are able to get merchant ids to run the cards.

Every new merchant id issued should be vetted and then spot checked to ensure that the product listed on the consumer’s charge account is real and delivered.

I understand banks over credit cards processing as an easy way to pay but they have some responsibility to know what merchants are using their networks and what those merchants are selling.

If the banks, processors or merchant id issuers can’t handle this they should hire someone who can. I know of several services that verify merchant ids against the products they sell and the charge listed on the user’s card.

Truth is by better vetting the merchants prior to allowing them to accept credit cards, the banks will make more money because chargebacks will be down, card re-issues will be down and bank satisfaction will go up.

While I thank you for posting the offending bank complaint contacts, I wonder how much good it will do. These are the merchant account banks, and so will be pretty much immune from retail customer backlash. (Retail customers are you and I, holders of credit cards.) Compare this to what retail customers can do to BoA, HSBC, etc.

That is why I list the top “legit” issuing banks along with the shady merchant banks. When a huge percentage of transactions coming through these tiny merchant banks in Azerbaijan are pharma related (in violation of Visa’s cross border illegal transaction rules, for example) or for rogue antivirus (which is extortion), it’s time for the card associations to do something. Who knows? Maybe Bank of America or Chase or Citibank will push this issue.

More than likely, however, it will take constant “outing” in the press. Look for that here. If the “dead tree editions” of the world want to pick up the story and run with it further, all the better.

All of this will undoubtedly cause some concern. But as long as the focus is on the bottom line, the greed which fuels these schemes will continue and the ‘complacency’ of the masses will continue to feed the greed. Mark, thank you for the info.

While it may be easy for Visa and Mastercard to detect this pattern, the usability of such a test would depend greatly on the number of false positives it generates.
I could imagine that many organisations will become more liberal with issuing refunds if they are close to being penalised by the credit card company. And many shady vendors will try to get as close to this threshold as possible. That does not make them illegal, only shady. CFOs would probably call this profit maximisation.

Profit maximization is the keyword here. Every business strives there. And this keyword is, unfortunately, also the reason why Visa and MasterCard won’t change their ethics or monitoring procedures. Their chargeback thresholds are probably very well-balanced to ensure that however shady the vendors are, Visa and MasterCard never get hurt noticeably.

So, unless mainstream media, regulators and lawmakers start bringing this issue up, I’m afraid nothing will change. BTW, I can’t help but notice that Amex doesn’t seem to play a role in this – are they as dead in the US as they are in Europe?

I believe this kind of journalism is badly needed these days. It bridges the gap between technical security professionals who don’t have much of a mouthpiece and the mainstream press which usually only has a tentative grasp on the technical aspects of the story. I hope more press outlets will pick up your stories.

This was specific to a rogue online pharmacy but it holds true for any shady online market.

In it I included a diagram as well as individual descriptions of each of the specific agents that assist in making a typical spam operation profitable. Among these were what are known as “high risk merchant account providers”. These merchant account providers charge a very high rate to customers who want their credit card transactions processed for illicit or illegal products and services, and they more than likely provide the strategically-scheduled, distributed merchant account system described above for handling charge-backs.

These account providers will process credit cards for any gross thing you can imagine: child porn, fake pharmaceutical sales, and of course the processing of any rogue or criminal product or service the individual wants.

It’s good to see these specific banks being outed for being the “last mile” processor for these transactions, but it would be good to see someone investigate one or more of these high-risk merchant account operations. They profit from this illicit activity at least as much as the scumbags running the fake AV operations, and yet they’re considered to be a legitimate business or service. I would have to imagine they would be next on the list of the UCSB researchers.

Great article Brian, why are such a small number of victims complaining?

“The UCSB team found that of almost 2.3 million people who purchased fake AV from three affiliate networks over a three-year period, fewer than 10 percent requested a refund.”

Especially since all it takes is a call to your credit card company disputing the charge. No need to call the fake A/V company asking for a refund. Just call your bank disputing the charge. These are all card-not-present transactions so the merchant takes the refund hit. Moving from less than 10% to more than 20% disgruntled customers could make these scams unprofitable. And this kind of buyer protection is part of the reason you use a credit card instead of cash, money order or checks in the first place.

Yes, Visa, MasterCard and the customer bank’s might be able to detect these patterns, but we don’t know if “good” or normal merchants may have similar patterns – they are also maximizing profits.

Hopefully the mainstream media will pick up on this story to help educate more consumers – those educated consumers are the best defense against scams, spam, botnets, and most of the other security issues we face.

If they knew it was a fraudulent product, they wouldn’t have been taken in in the first place. The 10% are probably the people fortunate enough to have a friend or family member to explain it to them after the fact.

Perhaps, but I would wonder what the fake AV networks will do with my credit card number in the future. At least, if you complained to your financial institution that would at least show the network that you are monitoring your account. Fight! Don’t just let them sucker you in and …

I’ve said it before, and I’ll say it again…in a perfect world spammers would be hunted down like rats and their left kneecap and left hand smashed with an iron bar. After all the annoying screaming and crying and fainting is over, they would be let go with the promise — an ABSOLUTE PROMISE — that if they spam again, or ever write so much as one line of code or use their laptops for anything other than family email, they will be recaptured and their RIGHT hand and kneecap will be smashed. And just maybe something even more important will be amputated, that would be left up to the discretion of their captors. In case anyone has missed this, I hate spammers with more venom than I hold for the Taliban.

I hate spammers also, but not as much as the Taliban and all the other terrorists who kill innocents. Keep it simple – just execute them. No messing, they won’t do it again. Same for terrorists, who should be executed on sight.

As for the banks, they don’t really care, they are just after as much profit as possible. If some dodgy money sneaks through and they don’t get nabbed by the authorities for letting it through then they aren’t going to block it, it’s more profit for them. And of course it helps towards their bonuses.

I suppose this comment is going to get disliked a lot, but it is mine, I have made it and you are all free to vote as you like.

Lemme see… it took an act of congress before VISA & MasterCard were willing to stop making payments to online gambling sites. And online gambling was, as I understand it, entirely illegal in these United States well before that. So now, everybody who thinks that VISA & MC are going to voluntarily deprive themselves of THIS revenue stream, you know, just as a result of a bit of public pressure, raise your hand.

Of course, if somebody could entice Senator Lieberman to put the squeeze on them, as in the Wikileaks case, then that would be a different matter.

P.S. Anybody who believes that the five itty bitty banks (the receivers) that were listed in Brian’s article or in the report out of UCSB can be persuaded to stop THEIR involvement with these crimes is deluding themselves. Processing the illicit revenue streams from crimeware is probably a major source of profits for all of them.

Nick, I think this is… unclear. First, acquirers working with known high-risk merchants (or processors for such merchants) can charge quite a bit more than 1%… more like 10-12% for stuff in this category (more again from the processor, but the bank doesn’t see that) plus they insulate themselves from some of the risk with large holdbacks that they can recoup in case of chargebacks or fines. The other issue is that on the acquiring side you’ll frequently find an agent who “owns” the relationship who themselves may be paid on a commission basis. For them in particular the profits from supporting high-risk may be substantial relative to other income sources. This isn’t to say that shame doesn’t work… but that economics are much more significant here than on the issuing side.

You’re right Ronbaby, given how quickly Visa keeps acting to block Wikileaks, one can only wonder why they aren’t showing that same diligence against the scammers. Guess they’re more afraid of what Wikileaks might expose than whom the scammers will exploit. Just have to up the fear scale for them that they’re aiding and abetting illegal activity for the scammers and see if that will shift them into gear.

There are methods in place that many merchants are not aware of like not allowing foreign or international charges either at the card issuing bank or the merchant accepting the card’s gateway (as a quick example).

Most consumers are only concerned with their flight miles and sadly – the majority of businesses that accept credit cards are clueless about security options (especially online).

Regardless, know who you are buying from and through. Education is key. Know your rights. It’s your money.

Great report on this issue Brian. Unfortunately I think many payment processors (Visa and MasterCard included) and banks are on the back foot with credit card frauds. They offer a reasonable amount of reactive measures (card insurance, charge monitoring etc), but not as many preventative ones.

It would be great to see them take action in light of this information though, I just hope the quality of reporting here moves into the mainstream media and forces them to do something.

Note that the card associations all do have extensive investments in preventive anti-fraud measures (and there are third-party services here as well) but they are not consumer services. Instead these are service offerings available to issuers or acquirers. However, issuers are given significant latitude in how they use such information (or whether they even choose to subscribe to them). Moreover, my sense is that much of the anti-fraud activity is focused on card theft/compromise as opposed to fraudulent merchants.

It is unfortunate to see the listing of “top banks” that obviously do almost nothing to protect their customers. This issue has been around so long you think banks that large could put some measures in place.

Credit card companies probably have some kind of research like this. They have to investigate fraudulent charges because they’re the ones who pony up the cash, and if the charges are defaulted on they’re the ones who lose the money.

Credit card companies pay merchants and wait 30 days for customers to pay their bill. So when the customer disputes the charge, the customer doesn’t pay and the CCC still has paid out the funds to the merchant. So it’s in their best interests to hunt down fraudulent companies because it’s THEIR capital that gets used.

Tensigh,
If it worked this way many things would be different. There are multiple sources of risk in a card transaction and who carries the liability is different for each. For consumer non-payment the issuer carries the risk (i.e., of a customer defaulting on their obligations… one of the many reasons issuing banks have loved debit cards). However, for fraud or chargeback risk in a card-not-present transaction, the acquirer carries the risk and for quite a long period (e.g., my memory is that MasterCard’s chargeback liability period is 6 months). If the customer disputes the charge, the acquirer is obligated to directly refund the issuer (potentially subject to a fraud investigation) as per the card association rules. Generally, acquirers word their merchant contracts so the merchants are actually on the hook for this money and hence the risk is ultimately passed on to the merchant. However, in the case where there is a concern that the merchant themselves may not honor their obligations (or may in fact be insolvent) the acquirer is still stuck with the debt. This is why high-risk merchant accounts have such high holdbacks… it’s precisely so they have collateral to deal with chargeback liability in case the merchant disappears. Across all of this the card association (e.g., Visa, MC) doesn’t itself carry any significant direct liability.

Thus, while issuers care about chargebacks due to opex issues (to process the chargeback requests) and card associations because it impacts the brand, for most of this kind of fakeAV activity neither carry much in the way of direct liability.

– Give customers refunds when asked to
– Operate phone based support lines
– Work to minimize their chargeback rate
– Are in the business of selling software that their users actively pay for and don’t dispute more often than other software.

How exactly are payment processors supposed to detect these merchants? They are not doing anything suspicious!

What’s more, you’re starting down a very slippery slope. You are saying these products are malicious, fake anti-virus products. You are almost certainly correct. But I say this because you are Brian Krebs who has an established track record of being right about such things. If Joe Blogger asserted the same thing it’d have to be taken with a much greater pinch of salt, result in a real investigation, etc. It’s not like you can just link AV scanners to the financial network, they have way too many false positives. If you set up a parallel justice system (which is exactly what you are advocating) you have to think through complicated and messy things, like coming up with a precise definition of malware, creating a trustworthy appeals process and having the bad/good decision made by people who don’t have conflicts of interest. Stopbadware.org fills some of this role today, but its decisions can always be opted-out of by end users. Once you start shooting merchant accounts users can’t just “opt out” anymore, so false positives are way more serious.

In short, this type of thinking is how we ended up with AML regulations that make banks, estate agents and pawnbrokers responsible for detecting terrorists. How does one spot a terrorist by looking at financial transactions? Reading the guidance governments and regulators issue makes clear the intuitive truth – you can’t do this reliably.

Stop trying to create a parallel justice system to the one we already have. Instead of blaming payment processors, blame weak institutions and corrupt law enforcement in the countries where this stuff originates.

This really isn’t rocket surgery… for anybody who seriously cares, that is. (And, as I have argued, VISA & MC don’t care, and in fact they have financial incentives for NOT caring.)

>If you set up a parallel justice system (which is
>exactly what you are advocating) you have to
>think through complicated and messy things…

You have it wrong. This is not a “parallel justice system”. What’s being advocated is nothing different from what already exists, i.e. an economic PREJUDICE system, that is to say, someone (e.g. the CC network operators) simply saying that if you are a crook, we are not obliged to do business with you, and we won’t.

These sorts of economic “prejudice” decisions are made all of the time, e.g. when someone can’t get a car loan because they have a bad credit rating. Or when VISA & MC decide that they don’t much feel like processing payments for Wikileaks, despite the fact that that organization hasn’t been even INDICTED on any criminal charges in any jurisdiction, let alone convicted of anything which is in the least bit criminal. (This hasn’t happened, of course, because if it had, officials would have to also charge the New York Times, The Guardian, & Der Spiegel, which is something that even Wikileaks’ most ardent detractors are seemingly un-eager to do.)

Having worked in loss prevention for one of the top 5 banks in that list I can tell you pattern detection is in place as well as policy for this type of situation.
However you usually run into one or more of these hurdles when going through the process:
*What to do with the card number that has been used and is now vulnerable.
*Contacting this customer to find the legitimacy of this type of charge (on occasion some are confirmed by informed customers as valid)
*Detecting if the card number was willingly given or unknowingly gained and used.
*Determining the length of time this charge has been recurring on a customer’s account.

Most customers are very unhappy when you tell them you have to restrict their card and send out a new one. (Everyone has a problem with delivery time, no matter how fast it is)
Customers are also not in a habit of keeping crucial contact information up-to-date with their financial institutions. So you run into incorrect address, non working telephone numbers, etc.
Some will swear up and down and all the way around that the charge is legit, and you can’t really do anything past that.
I’m also not saying anyone needs to be a CPA, but a once a month statement review is not something you should have to train a majority of society on but you would be surprised. Charges with date ranges spanning six months to a year + on your account and you’ve just noticed and want hundreds to thousands of dollars refunded with no questions asked instantaneously.
Not saying systems in place are perfect, just another perspective from an educated consumer with a little insider insight.

There is no incentive for banks to close these scam AV websites if my experience is anything to go by: I had a website that sold a $20 subscription that auto-renewed (all totally bona fide and legal). Some people decided that they didn’t want to renew and contacted their bank which reversed the charge (Amex does this in every case before investigating the circumstances).
They then charged us about $25 for the ‘administration costs’.
Result – for us, we lost $45. For the bank – they were $25 richer.

I’m not clear why you believe your experience is relevant to banks not targeting scam merchants.

You only lost $25 and a subscriber, not $45, and it’s your own fault.

Many legitimate businesses send a reminder to auto-renew subscribers *before* they charge credit cards. Those that don’t are taking the risk of being charged a bank fee, which is clearly spelled out in bank-merchant contracts.

We DID send out renewal reminders and if anyone asked (after being charged) we immediately issued a refund. The issue is that people suddenly notice a charge on their CC and call the CC company, rather than the retailer. About 1% of our renewals used to result in this kind of chargeback – nothing sinister, just the nature of digital subscriptions.

My point is that the banks never lose and that (like credit card companies pay-by dates always being on a Friday), There is no incentive for them to ‘clean up their act’ (except apparently when political pressure -eg. Wikileaks and online Poker sites – are involved) when they actually make more money by chargebacks when the payment is low.

Actually I forgot one other thing: We also got a lot of chargebacks caused by people using our website to ‘test’ stolen credit cards. It always struck me as unfair to penalize a company who took a payment in good faith (with CCV validation etc) only to find out it was stolen.

…And don’t get me started on the Bank-Merchant contracts and the hideous fees and commissions they charge.

Were I a fake AV provider who was cut off by an institution, I could hire hackers and botnets and otherwise harass it. Do I have an obligation to not sell credit card records? The non-processors would get the message.

The banks don’t care. I received a fake charge to my credit card statement from a company in Holland for “just” $49.99 – probably set that low because many people might ignore such a “small” amount. The company was obviously a fraud as its own website had a pre-set “complaint” form set up, however, I ignored that and went straight to Chase to demand a refund and attempt to block the company from ever charging me again. Guess what happened next month – a charge for $79.99 from the same Dutch company. This time I threatened all sorts of legal action against Chase if they didn’t immediately refund the amount and block the company.

Why is it that this same company can prohibit me buying more than 3 airline tickets in one day, even though I travel extensively, yet they won’t prevent obviously fraudulent charges? They clearly don’t give a **** about their customers.